1 Introduction

Public-key cryptography has proved to be an indispensable tool in the modern information security infrastructure. Most notably, digital signature schemes form the backbone of Internet commerce, allowing trust to be propagated across the network in an efficient fashion. In turn, public-key encryption allows the private communication of messages (or, more usually, the establishment of symmetric secret keys) among users who are authenticated via digital signatures. The security of these classical public-key cryptosystems relies on assumptions on the difficulty of certain mathematical problems [1]. Gottesman and Chuang [2] initiated the study of quantum-public-key cryptography, where the public keys are quantum systems, with the goal of obtaining the functionality and efficiency of public-key cryptosystems but with information-theoretic security. They presented a secure one-time digital signature scheme for signing classical messages, based on Lamport's classical scheme [3].

In a public-key framework, Alice chooses a random private key, creates copies of the corresponding 
public key via some publicly-known algorithm, and distributes the copies in an authenticated fashion 
to all potential "Bobs". In principle, this asymmetric setup allows, e.g., any Bob to send encrypted 
messages to Alice or to verify any signature for a message that Alice digitally signed. By eliminating 
the need for each Alice-Bob pair to establish a secret key (in large networks where there may be many 
"Alices" and "Bobs"), the framework vastly simplifies key distribution, which is often the most costly 
part of any cryptosystem, compared to a framework that uses only symmetric keys. 

Some remarks about the quantum-public-key framework are in order. First, we address the issue 
of purity of the quantum public keys. In principle, the quantum public key can be either in a pure 
or mixed state from Alice's point of view (a mixed state is a fixed probabilistic distribution of pure states). Gottesman and Chuang [2] assumed pure-state public keys. For digital signature schemes, this purity is crucial; for, otherwise, Alice could cheat by sending different public keys to different "Bobs". Purity prevents Alice's cheating in this case because different "Bobs" can compare their copies of the public key via a "distributed SWAP-test" [2] to check they are the same (with high probability), much as can be done in the case of classical public keys. But any scheme can benefit from an equality test, since an adversary who tries to substitute bad keys for legitimate ones could thus be caught. There is no known equality test guaranteed to recognize when two mixed states are equal. Thus, having mixed-state public keys seems to be at odds with what it means to be "public", i.e., publicly verifiable!³ Even though the scheme we present in this paper does not make explicit use of the "distributed SWAP-test" (because we assume the public keys have been securely distributed), it can do so in principle. We view this as analogous to how modern public-key protocols do not specify use of an equality test among unsure "Bobs", but how such a test is supported by the framework to help thwart attempts to distribute fake keys.

Second, we address the issue of usability of quantum-public-key systems. The states of two quantum 
public keys corresponding to two different private keys always have overlap less than $(1 - \delta)$, for some positive and publicly known $\delta$. Thus, a striking aspect of the quantum-public-key framework is that
the number of copies of the public key in circulation must be limited (if we want information-theoretic 
security). If this were not the case, then an adversary could collect an arbitrarily large number of 
copies, measure them all, and determine the private key. By adjusting protocol parameters, this limit 
on the number of copies of the quantum public key can be increased in order to accommodate more 
users (or uses; see next paragraph for a discussion on "reusability"). Thus, in practice, there is no 
restriction on the usability of a quantum-public-key system as long as an accurate estimate can be 
made of the maximum number of users/uses. 

Presumably, adjusting the protocol parameters (as discussed above) in order to increase the maximum number of copies of the quantum public key in circulation would result in a less efficient protocol instance, and this is one kind of tradeoff between efficiency and usability in the quantum-public-key setting. Another kind concerns reusability. The abovementioned digital signature scheme is "one-time" because only one message may be signed under a particular key-value (even though many different users can verify that one signature). If a second message needs to be signed, the signer must choose a new private key and then distribute corresponding new public keys. One open problem is thus whether there exist reusable digital signature schemes, where either the same copy of the public key can be used to verify many different message-signature pairs securely, or where just the same key-values can be used to verify many different message-signature pairs securely (but a fresh copy of the public key is needed for each verification). The latter notion of "reusability" is what we adopt here.

In this paper, we consider an identification scheme, which, like a digital signature scheme, is a type of authentication scheme. Authentication schemes seek to ensure the integrity of information, rather than its privacy. While digital signature schemes ensure the integrity of origin of messages, identification schemes ensure the integrity of origin of communication in real time. Identification protocols are said to ensure "aliveness" — that the entity proving its identity is active at the time the protocol is executed; we describe them in more detail in the next section.

³ Other authors have defined the framework to include mixed public keys, and Ref. [3] proposes an encryption scheme with mixed public keys that is reusable and unconditionally secure [5].

We prove that an identification scheme based on the one in Ref. [6] is secure against a computationally-unbounded adversary (only restricted by finite cheating strategies), demonstrating for the first time that unconditionally-secure and reusable public-key authentication is possible in principle. We regard our result more as a proof of concept than a (potentially) practical scheme. Still, we are confident that an extension of the techniques used here may lead to more efficient protocols.

We now proceed with a description of the protocol (Section 2) and the security proof (Section 3).

2 Identification Protocol 

In the following, Alice and Bob are always assumed to be honest players and Eve is always assumed 
to be the adversary. Suppose Alice generates a private key and authentically distributes copies of the 
corresponding public key to any potential users of the scheme, including Bob. 

Here is a description (adapted from Section 4.7.5.1 in Ref. [7]) of how a secure public-key identification scheme works. When Alice wants to identify herself to Bob (i.e. prove that it is she with whom he is communicating), she invokes the identification protocol by first telling Bob that she is Alice, so that Bob knows he should use the public key corresponding to Alice. The ensuing protocol has the property that the prover Alice can convince the verifier Bob (except, possibly, with negligible probability) that she is indeed Alice, but an adversary Eve cannot fool Bob (except with negligible probability) into thinking that she is Alice, even after having listened in on the protocol between Alice and Bob or having participated as a (devious) verifier in the protocol with Alice several times. Public-key identification schemes are used in smart-card systems (e.g., inside an automated teller machine (ATM) for access to a bank account, or beside a doorway for access to a building); the smart card proves its identity to the card reader.⁴

Note that no identification protocol is secure against an attack where Eve concurrently acts as 
a verifier with Alice and as a prover with Bob (but note also that, in such a case, the "aliveness" 
property is still guaranteed). Note also that, by our definition of "reusable," an identification scheme 
is considered reusable if Alice can prove her identity many times using the same key-values but the 
verifier needs a fresh copy of the public key for each instance of the protocol. 

Note also that public-key identification can be trivially achieved via a digital signature scheme (Alice signs a random message presented by Bob), but we do not know of an unconditionally-secure and reusable digital signature scheme.⁵ Similarly, public-key identification can be achieved with a public-key encryption scheme (Bob sends an encrypted random challenge to Alice, who returns it decrypted), but we do not know of an unconditionally-secure and reusable public-key encryption scheme (that uses pure-state public keys; though, see Ref. [9] for a promising candidate).

⁴ Note that it is not a user's personal identification number (PIN) that functions as the prover's private key; the PIN only serves to authenticate the user to the smart card (not the smart card to the card reader).

⁵ Pseudo-signature schemes, such as the one in Ref. [8], are information-theoretically secure but assume broadcast channels.

2.1 Protocol specification 

The identification protocol takes the form of a typical "challenge-response" interactive proof system, 
consisting of a kernel (or subprotocol) that is repeated several times in order to amplify the security, 
i.e., reduce the probability that Eve can break the protocol. The following protocol is a simplification 
of the original protocol from Ref. [6] (but our security proof applies to both protocols, with only minor
adjustments). We assume all quantum channels are perfect. 

Parameters 

• The security parameter $s \in \mathbb{Z}^+$

  o equals the number of kernel iterations, and

  o the probability that Eve can break the protocol is exponentially small in $s$.

• The reusability parameter $r \in \mathbb{Z}^+$

  o equals the maximum number of copies of the quantum public key in circulation, and

  o equals the maximum number of times the protocol may be executed by Alice before she needs to pick a new private key.

Keys 

• The private key is

  $(x_1, x_2, \ldots, x_s)$, (1)

  where Alice chooses each $x_j$, $j = 1, 2, \ldots, s$, independently and uniformly at random from $\{1, 2, \ldots, 2r+1\}$.

  o The value $x_j$ is used only in the $j$th kernel iteration.

• One copy of the public key is an $s$-partite system in the state

  $\bigotimes_{j=1}^{s} |\psi_{x_j}\rangle$, (2)

  where (omitting normalization factors)

  $|\psi_x\rangle := |0\rangle + e^{2\pi i x/(2r+1)} |1\rangle$. (3)

  o Alice authentically distributes (e.g. via trusted courier) at most $r$ copies of the public key.

  o The $j$th subsystem of the public key (which is in the state $|\psi_{x_j}\rangle$) is used only in the $j$th kernel iteration.

Actions 

• The kernel $\mathcal{K}(x)$ of the protocol is the following three steps, where we use the shorthand

  $\phi_x := 2\pi x/(2r+1)$, (4)

  and where we have dropped the subscript "$j$" from "$x_j$":

  (1) Bob secretly chooses a uniformly random bit $b$ and transforms the state of his authentic copy of $|\psi_x\rangle$ into $|0\rangle + (-1)^b e^{i\phi_x} |1\rangle$. Bob sends this qubit to Alice.

  (2) Alice performs the phase shift $|1\rangle \mapsto e^{-i\phi_x} |1\rangle$ on the received qubit and then measures the qubit in the basis $\{|0\rangle \pm |1\rangle\}$ (in order to determine Bob's secret $b$ above). If Alice gets the outcome corresponding to "+", she sends 0 to Bob; otherwise, Alice sends 1.

  (3) Bob receives Alice's bit as $b'$ and tests whether $b'$ equals $b$.

• When Alice wants to identify herself to Bob, they take the following actions:

  (i) Alice checks that she has not yet engaged in the protocol $r$ times before with the current value of the private key; if she has, she aborts (and refreshes the private and public keys).

  (ii) Alice sends Bob her purported identity ("Alice"), so that Bob may retrieve the public keys corresponding to Alice.

  (iii) The kernel $\mathcal{K}(x)$ is repeated $s$ times, for $x = x_1, x_2, \ldots, x_s$. Bob "accepts" if he found that $b'$ equaled $b$ in all the kernel iterations; otherwise, Bob "rejects".
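As an added illustration, not code from the paper, the following Python simulation runs the kernel $\mathcal{K}(x)$ on single-qubit amplitude vectors. It assumes perfect channels (as the paper does) and models only the trivial prover that holds no copy of the public key and simply guesses a key value $x'$, which corresponds to $t = 0$ black boxes in the paper's terms; the private key values and the session seed used below are constructed for the example. It checks completeness (Bob always accepts Alice) and shows that the guessing prover succeeds in one iteration with probability exactly 1/2, hence with probability $2^{-s}$ over $s$ iterations.

```python
import cmath
import math
import random
from itertools import product

# Added example (not code from the paper): a classical simulation of the
# kernel K(x) of Section 2.1.  A qubit is a pair of complex amplitudes
# [a0, a1] for a0|0> + a1|1>; channels are assumed perfect, and Alice's
# measurement is simulated with the Born rule.

def phi(x, r):
    """Private phase angle phi_x = 2*pi*x/(2r+1) of Eq. (4)."""
    return 2 * math.pi * x / (2 * r + 1)

def challenge_state(x, b, r):
    """Step (1): Bob turns his public-key qubit |0> + e^{i phi_x}|1> into
    |0> + (-1)^b e^{i phi_x}|1> (normalised)."""
    a = 1 / math.sqrt(2)
    return [a, a * (-1) ** b * cmath.exp(1j * phi(x, r))]

def prob_plus_after_shift(state, x_guess, r):
    """Step (2) as run by a responder holding key value x_guess: apply
    |1> -> e^{-i phi_{x_guess}}|1>, then return Pr['+'] for a measurement
    in the basis {|0> + |1>, |0> - |1>}."""
    a0, a1 = state
    a1 = cmath.exp(-1j * phi(x_guess, r)) * a1
    amp_plus = (a0 + a1) / math.sqrt(2)   # <+|shifted state>
    return abs(amp_plus) ** 2

def prob_correct_response(x, b, x_guess, r):
    """Probability that the responder's bit b' equals Bob's bit b in one
    kernel iteration with Bob's key value x and the responder's guess x_guess.
    For Alice (x_guess == x) this is 1; in general it is cos^2((phi_x - phi_x')/2)."""
    p_plus = prob_plus_after_shift(challenge_state(x, b, r), x_guess, r)
    return p_plus if b == 0 else 1 - p_plus

def honest_accept_probability(xs, r):
    """Completeness (Section 2.2): Alice knows every x_j, so all s iterations
    succeed whatever bits Bob draws.  Returns the minimum over all 2^s bit
    strings of the product of per-iteration success probabilities."""
    worst = 1.0
    for bits in product((0, 1), repeat=len(xs)):
        p = 1.0
        for x, b in zip(xs, bits):
            p *= prob_correct_response(x, b, x, r)
        worst = min(worst, p)
    return worst

def blind_impersonator_success(r, s):
    """A prover with no black box at all (t = 0) who guesses a key value x'
    uniformly and runs Alice's step.  Averaged over Alice's uniform x, Bob's
    b and the guess x', the per-iteration success is exactly 1/2 because the
    cosines of 2*pi*k/(2r+1), k = 0..2r, sum to zero; s iterations then
    succeed with probability 2^-s.  Returns (per_iteration, overall)."""
    n = 2 * r + 1
    total = 0.0
    for x in range(1, n + 1):
        for x_guess in range(1, n + 1):
            for b in (0, 1):
                total += prob_correct_response(x, b, x_guess, r)
    per_iter = total / (n * n * 2)
    return per_iter, per_iter ** s

def run_session(xs, r, rng, prover_keys):
    """One run of step (iii): Bob draws a fresh b per iteration, the prover
    answers with its own key values, and Bob accepts iff every b' equals b.
    Outcomes are sampled with rng; probabilities are rounded so the honest
    case is exactly deterministic despite floating-point noise."""
    for x, x_p in zip(xs, prover_keys):
        b = rng.randrange(2)
        p_plus = round(prob_plus_after_shift(challenge_state(x, b, r), x_p, r), 12)
        b_prime = 0 if rng.random() < p_plus else 1
        if b_prime != b:
            return False
    return True

def simulate_sessions(xs, r, prover_keys, trials, seed=0):
    """Run `trials` seeded sessions and return how many Bob accepted."""
    rng = random.Random(seed)
    return sum(run_session(xs, r, rng, prover_keys) for _ in range(trials))

if __name__ == "__main__":
    keys = [1, 4, 7]            # constructed private key for r = 3, s = 3
    print(honest_accept_probability(keys, 3))       # ~1.0
    print(blind_impersonator_success(3, 3))         # (0.5, 0.125)
    print(simulate_sessions(keys, 3, keys, 50))     # 50
```

The per-iteration value $\cos^2((\phi_x - \phi_{x'})/2)$ returned by `prob_correct_response` is what makes the phase encoding work: a prover whose phase is off by $2\pi/(2r+1)$ still answers correctly with probability $\cos^2(\pi/(2r+1))$, which is why the paper's analysis must account for an adversary who has learned $\phi_x$ approximately from black boxes rather than only for one who knows nothing.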

2.2 Completeness of the protocol 

It is clear that the protocol is correct for honest players: Bob always "accepts" when Alice is the prover. In Section 3 (and the Appendix), we prove that the protocol is also secure against any adversary (only restricted by finite cheating strategies): given $r$ and $\epsilon > 0$, there exists a value of $s = s(r, \epsilon)$ such that Bob "accepts" with probability at most $\epsilon$ when Eve is the prover.

3 Security 

Let us clearly define what Eve is allowed to do in our attack model. Eve can 

• passively monitor Alice's and Bob's interactions (which means that Eve can read the classical 
bits sent by Alice, and read the bit that indicates whether Bob "accepts" or "rejects"), and 
• participate as the verifier in one or more complete instances of the protocol, and

• participate as the prover, impersonating Alice, in one or more complete instances of the protocol.

Eve is assumed not to be able to actively interfere with Alice's and Bob's communications during the protocol, as this would allow Eve to concurrently act as verifier with Alice and as prover with Bob (thus trivially breaking any such scheme⁶).

⁶ For password-based identification in a symmetric-key model, as in Ref. [10], where both Alice and Bob know something that Eve does not (i.e. the password), one can define a nontrivial "man-in-the-middle" attack, where Eve's goal is to learn the password in order to impersonate Alice in a later instance of the protocol. However, in public-key identification, Eve's goal of learning the private key may, without loss of generality, be accomplished by participating as a dishonest verifier and by obtaining copies of the public key, since Bob does not perform any action that Eve cannot perform herself given a copy of the public key.

Evidently, Eve's passive monitoring only gives her independent and random bits (and the bit corresponding to "accept"), thus giving her no useful information (in that she may as well generate random bits herself). So, we can ignore the effects of her passive monitoring.

With regard to Eve acting as verifier, we will give Eve potentially more power by assuming that Alice, instead of performing both the phase shift and the measurement in Step 2 of the kernel $\mathcal{K}(x)$, only performs the phase shift (Eve could perform Alice's measurement herself, if she desired). Furthermore, we will assume that the phase shift Alice performs is the gate

  $u_{\phi_x}$. (5)

Even though Alice actually performs the inverse phase shift $u_{-\phi_x}$, note that the two phase shifts are equivalent in the sense that $Z u_{\phi_x} Z$ equals $u_{-\phi_x}$ up to global phase, where

  $Z = \begin{pmatrix} 0 & 1 \\ -1 & 0 \end{pmatrix}$. (6)

Thus the protocol is unchanged had we assumed that Alice, instead of performing $u_{-\phi_x}$ in Step 2 of the kernel $\mathcal{K}(x)$, performs $Z u_{\phi_x} Z$. Since Eve can perform $Z$ gates on her qubit immediately before and after she gives it to Alice, our assumption indeed gives Eve at least as much power to cheat. Thus, Eve can effectively extract up to $r$ black boxes for $u_{\phi_x}$ from Alice (recall Alice only participates in the protocol $r$ times before refreshing her keys).

We will also give Eve potentially more power by giving her a black box for $u_{\phi_x}$ in place of every copy of $|\psi_x\rangle$ that she obtained legitimately. For each $x \in \{x_1, x_2, \ldots, x_s\}$, let $t$ be the total number of black boxes for $u_{\phi_x}$ that Eve has in her possession; that is, for simplicity, and without loss of generality, we assume she has the same number of black boxes $u_{\phi_x}$ for each value of $x$. Note that $t \le 2r - 1$, since we always assume that at least one copy of the public key is left for Bob, so that Eve can carry out the protocol with him.

Therefore, to prove security in our setting, it suffices to consider attacks where Eve first uses her $st$ black boxes to create a reference system in some $(\phi_{x_1}, \phi_{x_2}, \ldots, \phi_{x_s})$-dependent state, denoted $|\psi_R(\phi_{x_1}, \ldots, \phi_{x_s})\rangle$, and then she uses this system while she participates as a prover, impersonating Alice, in one or many instances of the protocol in order to try to cause Bob to "accept". We use the following definition of "security":

Definition 1 (Security). An identification protocol (for honest prover Alice and honest verifier Bob) 
is secure with error e if the probability that Bob "accepts" when any adversary Eve participates in 
the protocol as a prover is less than e. 

The only assumption we make on Eve is that her cheating strategy is finite in the sense that her 
quantum computations are restricted to a finite-dimensional complex vector space; the dimension 
itself, though, is unbounded. 

We will assume that Eve has always extracted the $r$ black boxes for $u_{\phi_x}$ from Alice (for all $x = x_1, x_2, \ldots, x_s$), and we define $t'$ to be the number of black boxes that Eve obtained legitimately (via copies of the public key):

  $t = r + t'$. (7)

Note that Eve can make at most $(r - t')$ attempts at fooling Bob, i.e., causing Bob to "accept". Let $E(a, b)$ denote the event that Eve fools Bob on her $a$th attempt using $b$ black boxes for $u_{\phi_x}$ for all $x = x_1, x_2, \ldots, x_s$. Most of the argument, beginning in Section 3.1, is devoted to showing that

  $\Pr[E(1, t)] \le \left(1 - c/(t+2)^2\right)^s$ (8)

for some positive constant $c$ defined at the end of Section 3. In general, Eve learns something from one attempt to the next; however, because Eve can simulate her interaction with Bob at the cost of using one copy of $|\psi_x\rangle$ per simulated iteration of $\mathcal{K}(x)$, we have, for $\ell = 2, 3, \ldots, (r - t')$,

  $\Pr[E(\ell, t)] \le \Pr[E(1, t + \ell - 1)]$. (9)

Given this, we use the union bound:

  $\Pr[\text{Eve fools Bob at least once, using } t \text{ black boxes for } u_{\phi_x}, \forall x]$

  $\le \sum_{\ell=1}^{r-t'} \Pr[E(\ell, t)]$ (10)

  $\le \sum_{\ell=1}^{r-t'} \Pr[E(1, t + \ell - 1)]$ (11)

  $\le \sum_{\ell=1}^{r-t'} \left(1 - c/(t + \ell + 1)^2\right)^s$ (12)

  $\le \sum_{\ell=1}^{r-t'} \left(1 - c/(2r+1)^2\right)^s$ (13)

  $\le (r - t') \left(1 - c/(2r+1)^2\right)^s$, (14)

since $t + \ell \le 2r$. It follows that the probability that Eve can fool Bob at least once, that is, break the protocol, is

  $p_{\text{break}} \le r \left(1 - c/(2r+1)^2\right)^s$, (15)

which, for fixed $r$, is exponentially small in $s$. Note that this bound is likely not tight, since it ultimately assumes that all of Eve's attempts are equally as powerful. In particular, this bound assumes that Eve's state $|\psi_R(\phi_{x_1}, \phi_{x_2}, \ldots, \phi_{x_s})\rangle$ does not degrade with use. A more detailed analysis using results about degradation of quantum reference frames [11] may be possible.

From Eq. (15) follows our main theorem (see Appendix A.3 for the proof):

Theorem 1 (Security of the protocol). For any $\epsilon > 0$ and any $r \in \mathbb{Z}^+$, the identification protocol specified in Section 2.1 is secure with error $\epsilon$ according to Definition 1 if

  $s > (2r+1)^2 \log(r/\epsilon)/c$, (16)

for some positive constant $c$.

The theorem shows how the efficiency of the protocol scales with its reusability: it suffices to have

  $s \in O(r^2 \log(r/\epsilon))$. (17)

The remainder of the paper establishes the bound in Line (8).

3.1 Sufficiency of individual attacks 

At each iteration, we may assume Eve performs some measurement, in order to get an answer to send back to Bob. Generally, Eve can mount a coherent attack, whereby her actions during iteration $j$ may involve systems that she used or will use in previous or future iterations as well as systems created using black boxes for $u_{\phi_{x_k}}$ for any $k$ — not just for $k = j$. Since each $x_j$ is independently selected from the set $\{1, 2, \ldots, 2r+1\}$, intuition suggests that Eve's measurement at iteration $j$ may be assumed to be independent of her measurement at any other iteration and in particular does not need to involve any black boxes other than ones for $u_{\phi_{x_j}}$. In other words, it seems plausible that the optimal strategy for Eve can consist of the "product" of identical optimal strategies for each iteration individually. This intuition can indeed be shown to be correct by combining a technique from Ref. [12], for expressing the maximum output probability in a multiple-round quantum interactive protocol as a semidefinite program, with a result in Ref. [13], which implies that the semidefinite program satisfies the product rule that we need; see Appendix A.1 for a proof.

The remainder of Section [3] establishes the following proposition: 

Proposition 2. The probability that Eve guesses correctly in any particular iteration $j$, using $t$ black boxes for $u_{\phi_{x_j}}$, is at most $(1 - c/(t+2)^2)$ for some positive constant $c$.

Assuming Proposition 2, the result proved in Appendix A.1 implies that the probability of Eve's guessing correctly in all $s$ iterations, using $t$ black boxes for $u_{\phi_x}$, for $x = x_1, x_2, \ldots, x_s$, is at most $(1 - c/(t+2)^2)^s$, establishing the bound in Line (8).
3.2 Equivalence of discrete and continuous private phases

To help us prove Proposition 2, we now show that, from Bob's and Eve's points of view, Alice's choosing the private phase angle $\phi_x$ from the discrete set $\{2\pi x/(2r+1) : x = 1, 2, \ldots, 2r+1\}$ is equivalent to her choosing the phase angle from the continuous interval $[0, 2\pi)$. We have argued that the only information that Eve or Bob — or anyone but Alice — has about $\phi_x$ may be assumed to come from a number of black boxes for $u_{\phi_x}$ that can be no greater than $2r$ (there are $r$ legitimate copies of the public key, and one can extract $r$ more black boxes from Alice); let this number be $d$, where $1 \le d \le 2r$.

In order to access the information from the black boxes, they must, in general, be used in a quantum circuit in order to create some state. Using the $d$ black boxes, the most general (purified) state that can be made is without loss of generality of the form

  $|\psi_R(\phi_x)\rangle = \sum_{k=0}^{N-1} \left( \sum_{j=0}^{d} \beta_{j,k}\, e^{ij\phi_x} \right) |a_k\rangle$, (18)

where $\{|a_k\rangle : k = 0, 1, \ldots, N-1\}$ is an orthonormal basis of arbitrary but finite size (the assumption of finite $N$ comes from our restricting Eve to using only finite cheating strategies). In general, the numbers $N$ and $\beta_{j,k}$ may depend on $d$. Here we have followed Ref. [14] by noting that each amplitude is a polynomial in $e^{i\phi_x}$ of degree at most $d$; this fact follows from an inductive proof just as in Ref. [15], where the polynomial method is applied to an oracle revealing one of many Boolean variables.

Averaging over Alice's random choices of $x$, one would describe the previous state by the density operator

  $\frac{1}{2r+1} \sum_{x=1}^{2r+1} |\psi_R(\phi_x)\rangle\langle\psi_R(\phi_x)|$, (19)

since $x$ is chosen uniformly randomly from $\{1, 2, \ldots, 2r+1\}$. Had $\phi_x$ been chosen uniformly from $\{2\pi x/(2r+1) : x \in [0, 2r+1)\} = [0, 2\pi)$, one would describe the state by

  $\frac{1}{2\pi} \int_0^{2\pi} |\psi_R(\phi)\rangle\langle\psi_R(\phi)|\, d\phi$. (20)
It is straightforward to show⁷ that the above two density operators are both equal to

  $\sum_{k,k'=0}^{N-1} \sum_{j=0}^{d} \beta_{j,k}\, \beta_{j,k'}^{*}\, |a_k\rangle\langle a_{k'}|$. (23)

Thus, without loss of generality, we may drop the subscript "$x$" on "$\phi_x$", write "$\phi$" for Alice's private phase angle, and assume she did (somehow) choose $\phi$ uniformly randomly from $[0, 2\pi)$.⁸ We are now ready to prove Proposition 2.

⁷ This requires the following two facts: (1) for any integer $a$,

  $\frac{1}{2\pi} \int_0^{2\pi} e^{ia\theta}\, d\theta = \begin{cases} 0 & \text{if } a \ne 0, \\ 1 & \text{otherwise}; \end{cases}$ (21)

and (2) for any integer $p \ge 2$ and integer $a$,

  $\frac{1}{p} \sum_{k=1}^{p} e^{2\pi i a k/p} = \begin{cases} 0 & \text{if } a \text{ is not a multiple of } p, \\ 1 & \text{otherwise}, \end{cases}$ (22)

where the second fact is applied at $p = 2r+1$.

⁸ One way to interpret this result is that even if Alice encodes infinitely many bits into $\phi$, it is no better than if she encoded $\lceil \log_2(2r+1) \rceil$ bits. Note that if Eve performs an optimal phase estimation [16] in order to learn $\phi$ and then cheat Bob, she can only learn at most $\lfloor \log_2(2r-1) \rfloor$ bits of $\phi$ (here, we assume Eve has $2r-1$ copies of the public key, having left Bob one copy), whereas Alice actually encoded $\lceil \log_2(2r+1) \rceil$ bits into $\phi$.

3.3 Bound on relative phase shift estimation

Eve's task of cheating in one iteration of the kernel may be phrased as follows. Eve is to decide the difference between the relative phases encoded in two subsystems $R$ and $S$, where $S$ is a given one-qubit system and $R$ is under her control. The given subsystem $S$ is in the state

  $|\psi_S(\phi, \theta)\rangle = |0\rangle + e^{i(\phi + \theta)} |1\rangle$, (24)

where $\theta$ is unknown and uniformly random in $\{0, \pi\}$, and $\phi$ is unknown and uniformly random in $[0, 2\pi]$. Eve can make the state $|\psi_R(\phi)\rangle$ of subsystem $R$ by using arbitrary operations interleaved with at most $t$ black boxes for the one-qubit gate $u_\phi$. Note that the problem is nontrivial because $\phi$ is unknown and uniformly random and the qubit $S$ is given to Eve after she has used all her black boxes. We seek the optimal success probability for Eve to guess $\theta$ correctly.

Eve's estimation problem can be treated within the framework of quantum estimation of group transformations [11]. As such, we regard her problem as finding the optimal measurement (probability) to correctly distinguish the states in the two-element orbit

  $\{V_\theta\, \rho\, V_\theta^\dagger : \theta \in \{0, \pi\}\}$, (25)

where $V_\theta = I_R \otimes \left(|0\rangle\langle 0| + e^{i\theta} |1\rangle\langle 1|\right)$ and

  $\rho := \frac{1}{2\pi} \int_0^{2\pi} |\psi_R(\phi)\rangle\langle\psi_R(\phi)| \otimes |\psi_S(\phi, 0)\rangle\langle\psi_S(\phi, 0)|\, d\phi$. (26)

The probabilities of her estimation procedure can be assumed to be generated by a POVM $\{E_0, E_\pi\}$. In general, it is known how to solve for the POVM that performs optimally on average when the unitarily-generated orbit consists of pure states, but not when the orbit is generated from a mixed state ($\rho$, in our case). Thus, we now effectively reduce the problem to several instances of an estimation problem where the orbit is pure.
Indeed, suppose that $|\psi_R(\phi)\rangle$ were a state on $q$ qubits that satisfied the property

  $|\psi_R(\phi)\rangle\langle\psi_R(\phi)| = (u_\phi)^{\otimes q}\, |\psi_R(0)\rangle\langle\psi_R(0)|\, (u_\phi^\dagger)^{\otimes q}$ (27)

for all $\phi \in [0, 2\pi]$. Then, letting $U_\phi = (u_\phi)^{\otimes (q+1)}$ and $|\psi_{RS}(\phi, \theta)\rangle = |\psi_R(\phi)\rangle |\psi_S(\phi, \theta)\rangle$, we would have that

  $\rho = \int_0^{2\pi} \frac{d\phi}{2\pi}\, U_\phi\, |\psi_{RS}(0,0)\rangle\langle\psi_{RS}(0,0)|\, U_\phi^\dagger$ (28)

  $= \int_0^{2\pi} \frac{d\phi}{2\pi} \sum_{w, w'} e^{i(w - w')\phi}\, P_w\, |\psi_{RS}(0,0)\rangle\langle\psi_{RS}(0,0)|\, P_{w'}$ (29)

  $= \sum_w P_w\, \rho\, P_w$, (30)

where $P_w$ is the projection onto the subspace of Hamming weight $w = 0, 1, \ldots, q+1$, and we used the formulas $U_\phi = \sum_w P_w e^{iw\phi}$ and $\delta_{w,w'} = \int_0^{2\pi} (d\phi/2\pi)\, e^{i(w-w')\phi}$. In other words, the state $\rho$ would be block diagonal with respect to the direct-sum decomposition of the total state space of $R$ into subspaces of constant Hamming weight $w$. Then we would have that the probability that Eve guesses $\theta = \theta'$ given that $\theta = \theta''$ is

  $\Pr[\text{Eve guesses } \theta = \theta' \mid \theta = \theta''] = \mathrm{Tr}\left[E_{\theta'}\, V_{\theta''}\, \rho\, V_{\theta''}^\dagger\right]$ (31)

  $= \mathrm{Tr}\left[E_{\theta'}\, V_{\theta''} \sum_w P_w\, \rho\, P_w\, V_{\theta''}^\dagger\right]$ (32)

  $= \sum_w \mathrm{Tr}\left[E_{w,\theta'}\, V_{\theta''}\, P_w\, \rho\, P_w\, V_{\theta''}^\dagger\right]$, (33)

where $E_{w,\theta'} = P_w E_{\theta'} P_w$, and we used cyclicity of trace and the fact that $V_\theta$ and $P_w$ commute. Thus, the elements of Eve's POVM $\{E_0, E_\pi\}$ would without loss of generality have the same block diagonal structure as $\rho$. In principle, this would allow Eve to measure first (just) the Hamming weight of $\rho$ in order to find $w$, and then deal with the group transformation estimation problem with respect to the pure orbit

  $O_w = \{V_\theta |\psi_w\rangle : \theta \in \{0, \pi\}\}$, (34)

where $|\psi_w\rangle$ is the state such that $|\psi_w\rangle \propto P_w |\psi_{RS}(0,0)\rangle$; we note that $|\psi_w\rangle$ is independent of $\phi$ (and $\theta$). The following lemma shows that, without loss of generality, we may assume that the situation just described is indeed the case:

Lemma 3. Without loss of generality, Eve's state $|\psi_R(\phi)\rangle$, which she prepares with at most $t$ black boxes for $u_\phi$, may be assumed to be on $q = (2t+1)$ qubits and satisfy

  $|\psi_R(\phi)\rangle\langle\psi_R(\phi)| = (u_\phi)^{\otimes q}\, |\psi_R(0)\rangle\langle\psi_R(0)|\, (u_\phi^\dagger)^{\otimes q}$ (35)

for all $\phi \in [0, 2\pi]$.
Proof. As noted in the previous section, using the $t$ black boxes, the most general (purified) state of $R$ that Eve can make is without loss of generality

  $\sum_{k=0}^{N-1} \left( \sum_{j=0}^{t} \beta_{j,k}\, e^{ij\phi} \right) |a_k\rangle_R$, (36)

where, again, $N$ is a priori unknown but finite (we use subscripts on the kets in this proof to indicate the physical systems). Note that we can rewrite the state in Eq. (36) by changing the order of the summations as

  $\sum_{j=0}^{t} \beta_j\, e^{ij\phi}\, |\tilde{g}_j\rangle_R$, (37)

where we have defined the numbers $\beta_j$ and the not-necessarily-orthogonal set of unit vectors $\{|\tilde{g}_j\rangle\}$, $j = 0, 1, \ldots, t$, such that

  $\beta_j\, |\tilde{g}_j\rangle_R = \sum_{k=0}^{N-1} \beta_{j,k}\, |a_k\rangle_R$. (38)

Using the Gram-Schmidt orthonormalization procedure on $\{|\tilde{g}_j\rangle\}_j$ to get the orthonormal set $\{|g_j\rangle\}_j$, we can write

  $|\tilde{g}_j\rangle_R = \sum_{h=0}^{t} \gamma_{j,h}\, |g_h\rangle_R$. (39)

Introduce a new system $R'$ consisting entirely of qubits and define $U$ to be any unitary map acting on $R \otimes R'$ that takes $|0\rangle_R |c_h\rangle_{R'} \mapsto |g_h\rangle_R |0\rangle_{R'}$, where $\{|c_h\rangle_{R'}\}_{h = 0, 1, \ldots, t}$ is an orthonormal set of size $t+1$ with elements that are computational basis states whose labels have constant Hamming weight; note that $R'$ needs only $O(\log(t+1))$ qubits whereas $R$ is of unknown (but finite) size (however, following this proof, we will construct $R'$ using $t+1$ qubits, as this makes things simpler). We first claim that, without loss of generality,

  $|\psi_R(0)\rangle = \sum_{j=0}^{t} \sum_{h=0}^{t} \beta_j\, \gamma_{j,h}\, |S_j\rangle_A |c_h\rangle_{R'}$, (40)

where $A$ is a $t$-qubit ancilla, and $|S_j\rangle_A$ is the symmetric state of weight $j$. To see this, note that Eve's optimal measurement can include the following pre-processing operations (in sequence), so that she recovers the most general state in Eq. (36) (and Eq. (37)) on $R$ but for a different random value of $\phi$:

• add an ancillary register $R$ in state $|0\rangle_R$ in between the two registers $A$ and $R'$ and perform $U$ on $R \otimes R'$ to get (after throwing out system $R'$)

  $\sum_j \beta_j\, e^{ij\phi} \sum_h \gamma_{j,h}\, |S_j\rangle_A |g_h\rangle_R = \sum_j \beta_j\, e^{ij\phi}\, |S_j\rangle_A |\tilde{g}_j\rangle_R$ (41)
• on $A$, do the $(t+1)$-dimensional inverse quantum Fourier transform in the symmetric basis on $A$, i.e. mapping

  $|S_j\rangle_A \mapsto \frac{1}{\sqrt{t+1}} \sum_{v=0}^{t} e^{-2\pi i j v/(t+1)}\, |S_v\rangle_A$, (42)

to get

  $\frac{1}{\sqrt{t+1}} \sum_j \sum_v \beta_j\, e^{ij(\phi - 2\pi v/(t+1))}\, |S_v\rangle_A |\tilde{g}_j\rangle_R$, (43)

and measure the Hamming weight of $A$ to get result $y_0$, which leaves the state (after throwing out system $A$)

  $\sum_j \beta_j\, e^{ij(\phi - 2\pi y_0/(t+1))}\, |\tilde{g}_j\rangle_R$ (44)

• correct the relative phase on qubit $S$ by $2\pi y_0/(t+1)$.

Doing these operations does not change the estimation problem, since $\phi$ is uniformly random anyway; these operations just change the unknown to $\phi' = \phi - 2\pi y_0/(t+1)$.

Finally, note that Eq. (40) implies that $|\psi_R(\phi)\rangle$ can be made from $|\psi_R(0)\rangle$ with at most $t$ black boxes for $u_\phi$, by applying $(u_\phi)^{\otimes t}$ on the $t$ qubits of system $A$, and note that $|\psi_R(\phi)\rangle$ satisfies Eq. (27), since the states $|c_h\rangle$ are of constant Hamming weight. □

Remark 4 (Quantum Fourier transform as analytical tool). Note that Eve's optimal strategy is not necessarily to measure $R$ to get an estimate $\phi'$ of $\phi$ first, then apply $u_{-\phi'}$ on $S$, and then measure $S$ to estimate $\theta$. However, the operation that is optimal for estimating $\phi$ (see Ref. [14]), i.e. the inverse quantum Fourier transform applied above, is still useful as an analytical tool in order to derive (a convenient form of) an optimal state for her estimation of $\theta$.

Thus, by Lemma 3, we assume Eq. (40) holds, which allows us to derive the following proposition. For convenience, we define

  $\alpha_{j,h} = \beta_j\, \gamma_{j,h}$. (45)

Proposition 5. The elements of the POVM $\{E_0, E_\pi\}$ are without loss of generality defined as

  $E_0 = |\Xi_0\rangle|0\rangle\langle\Xi_0|\langle 0| + \sum_{w=2}^{t+1} |w,+\rangle\langle w,+|$, (46)

  $E_\pi = \sum_{w=2}^{t+1} |w,-\rangle\langle w,-| + |\Xi_t\rangle|1\rangle\langle\Xi_t|\langle 1|$, (47)
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where 



\w, ±) = 4=(|S w -i) |0> ± |E ro _ 2 ) |1)), (48) 
and and are states such that, for j = 0, 1, . . . , t, 

The proof of Proposition 5 is similar to the argument given in Ref. [11] and is given in Appendix A.2. The total success probability of Eve's strategy can now be computed as

$$\sum_{\theta' \in \{0,\pi\}} \Pr[\text{Eve guesses } \theta = \theta' \mid \theta = \theta']\, \Pr[\theta = \theta'] \qquad (50)$$

$$= \frac{1}{2} \sum_{\theta' \in \{0,\pi\}} \mathrm{Tr}\big(E_{\theta'} V_{\theta'}\, \rho\, V_{\theta'}^\dagger\big) \qquad (51)$$

$$= \frac{1}{2} \sum_{\theta' \in \{0,\pi\}} \mathrm{Tr}\big(E_{\theta'} V_{\theta'}\, |\psi_{RS}(0,0)\rangle\langle\psi_{RS}(0,0)|\, V_{\theta'}^\dagger\big) \qquad (52)$$

$$= \frac{1}{2} + \frac{1}{4}\, \langle\psi_R(0)| M_t |\psi_R(0)\rangle, \qquad (53)$$

where

$$M_t = \sum_{j=0}^{t-1} \Big( |\Xi_{j+1}\rangle\langle\Xi_j| + |\Xi_j\rangle\langle\Xi_{j+1}| \Big). \qquad (54)$$

As a last task, we now seek the value of $|\psi_R(0)\rangle$, i.e. the values of $\alpha_{j,h}$, such that $\langle\psi_R(0)| M_t |\psi_R(0)\rangle$ is maximal. The proof of the following proposition is in Appendix A.4:

Proposition 6. The state

$$|\psi_R(0)\rangle \;\propto\; \sum_{j=0}^{t} \sin\!\Big(\frac{\pi (j+1)}{t+2}\Big)\, |\Xi_j\rangle$$

achieves the maximum value in Eq. (53).



Thus (as in Ref. [11]; see Appendix A.4), we get a maximal success probability of

$$\frac{1}{2} + \frac{1}{2}\cos\!\Big(\frac{\pi}{t+2}\Big) \qquad (55)$$

$$\le \frac{1}{2} + \frac{1}{2}\left(1 - \frac{(\pi/(t+2))^2}{2!} + \frac{(\pi/(t+2))^4}{4!}\right) \qquad (56)$$

$$= 1 - \frac{\pi^2}{4}\,\frac{1}{(t+2)^2} + \frac{\pi^4}{48}\,\frac{1}{(t+2)^4} \qquad (57)$$

$$\le 1 - \left(\frac{\pi^2}{4} - \frac{\pi^4}{48}\right)\frac{1}{(t+2)^2} \qquad (58)$$

$$= 1 - c/(t+2)^2, \qquad (59)$$

for the constant $c = \pi^2/4 - \pi^4/48 \approx 0.438$ and all $t \ge 1$ (the step from (57) to (58) uses $(t+2)^4 \ge (t+2)^2$). This completes the proof of Proposition 2 and thus the proof of Theorem 1.
Appendices

A.1 Proof of sufficiency of individual attacks

Consider the following non-cryptographic, (t+1)-round interactive protocol (or game) between Evelyn and Bobby (neither of whom is considered adversarial, hence we distinguish these two players from Eve and Bob), denoted $\mathcal{L} = \mathcal{L}(\Phi)$, where

$$\Phi = (\Phi_1, \Phi_2, \ldots, \Phi_{t+1}) \qquad (60)$$

and the $\Phi_i$ are quantum operations (super-operators) that specify Evelyn's actions in the game (the quantities r and t are as defined previously):

• (1') Bobby chooses a uniformly random $x \in \{1, 2, \ldots, 2r+1\}$ and sends a qubit in the state $|0\rangle$ to Evelyn (who can ignore this qubit; it carries no significant information).

• (2') For $i = 1, 2, \ldots, t$ {

  ◦ Evelyn performs the quantum operation $\Phi_i$ on her system, and then sends one qubit to Bobby.

  ◦ Bobby performs the unitary gate $u_{a,x}$ on the qubit received from Evelyn and sends it back to Evelyn. }

• (3') Bobby chooses a uniformly random $b \in \{0, 1\}$ and sends a qubit in the state $|0\rangle + (-1)^b e^{i\phi_x}|1\rangle$ to Evelyn.

• (4') Evelyn performs the quantum operation $\Phi_{t+1}$ on her system, and then sends one qubit to Bobby.

• (5') Bobby measures the received qubit in the computational basis $\{|0\rangle, |1\rangle\}$, getting outcome 0 or 1 (corresponding to $|0\rangle$ and $|1\rangle$ respectively); he tests whether this outcome equals b.

The following proposition is straightforward to prove:

Proposition 7. The probability that Eve, using t black boxes $u_{a,x}$, causes Bob's equality test to pass in a particular iteration j of the protocol in Section 2.1 is at most

$$\alpha := \max_{\Phi} \Pr[\text{Bobby's equality test passes in } \mathcal{L}(\Phi)], \qquad (61)$$

where $\Phi$ ranges over all (t+1)-tuples of admissible quantum operations that Evelyn can apply in the game $\mathcal{L}$.

Now consider the parallel s-fold repetition of $\mathcal{L}$, which we denote $\mathcal{L}^{\otimes s} = \mathcal{L}^{\otimes s}(\Phi')$, where $\Phi'$ now denotes Evelyn's quantum operation in $\mathcal{L}^{\otimes s}$. The following proposition is also straightforward to prove:

Proposition 8. The probability that Eve fools Bob on the first attempt using t black boxes per x-value in the protocol in Section 2.1 is at most

$$\alpha' := \max_{\Phi'} \Pr[\text{all of Bobby's equality tests pass in } \mathcal{L}^{\otimes s}(\Phi')], \qquad (62)$$

where $\Phi'$ ranges over all (t+1)-tuples of admissible quantum operations that Evelyn can apply in the game $\mathcal{L}^{\otimes s}$.

Therefore, in order to prove that it is sufficient to consider individual (as opposed to coherent) attacks by Eve, it suffices to show that $\alpha' = \alpha^s$.

In Ref. [12], the above game is viewed as an interaction between a (t+1)-round (non-measuring) strategy and a (compatible) measuring co-strategy; Evelyn's operations $\Phi$ form the non-measuring strategy and Bobby's actions form the measuring co-strategy (technically, Steps (1'), (3'), and (4') would have to be slightly modified in order to fit the co-strategy formalism: in Steps (1') and (3'), Bobby should make his random choices in superposition and use the quantum registers storing these choices as a control register whenever requiring these random values subsequently; in Step (4'), Bobby should only make one final measurement whose outcome indicates whether the equality test passes; we assume that these modifications have been made).

For all i, let $\mathcal{X}_i$ and $\mathcal{Y}_i$ be the input and output spaces, respectively, of Evelyn's quantum operation $\Phi_i$ in $\mathcal{L}$, i.e. $\Phi_i : \mathrm{L}(\mathcal{X}_i) \to \mathrm{L}(\mathcal{Y}_i)$, where $\mathrm{L}(\mathcal{X}_i)$ is the space of all linear operators from the complex Euclidean space $\mathcal{X}_i$ to itself (and likewise for $\mathrm{L}(\mathcal{Y}_i)$). Let $\mathrm{Pos}(\mathcal{Y} \otimes \mathcal{X})$ denote the set of all positive semidefinite operators in $\mathrm{L}(\mathcal{Y} \otimes \mathcal{X})$, where $\mathcal{Y} = \mathcal{Y}_1 \otimes \mathcal{Y}_2 \otimes \cdots \otimes \mathcal{Y}_{t+1}$ (and similarly for $\mathcal{X}$). For any Euclidean space $\mathcal{Z}$, let $I_{\mathcal{Z}}$ denote the identity operator on $\mathcal{Z}$.

Ref. [12] shows that Evelyn's strategy can be equivalently expressed by a single positive semidefinite operator in $\mathrm{Pos}(\mathcal{Y} \otimes \mathcal{X})$, while Bobby's measuring co-strategy can be expressed by the collection $\{B_0, B_1\}$ of two positive semidefinite operators in $\mathrm{Pos}(\mathcal{Y} \otimes \mathcal{X})$, where, without loss of generality, we assume that $B_0$ corresponds to the measurement outcome indicating that Bobby's test for equality in Step (5') passes. We briefly note that these positive semidefinite operators are the Choi-Jamiolkowski representations of the quantum operations corresponding to the players' actions. A more general version of the following theorem is proved in Ref. [12]:

Theorem 9 (Interaction output probabilities [12]). For any non-measuring strategy $X \in \mathrm{Pos}(\mathcal{Y} \otimes \mathcal{X})$ of Evelyn, the probability that Bobby's equality test passes is $\mathrm{Tr}(B_0^\dagger X)$.

Using Theorem 9 it is shown, in the proof of Theorem 3.3 of Ref. [12], that the maximal probability with which Bobby's measuring co-strategy can be forced to output the outcome corresponding to $B_0$ by some (compatible) strategy of Evelyn's can be expressed as a semidefinite (optimization) program (see Ref. [18] for a relevant review of semidefinite programming). Thus $\alpha$ and $\alpha'$ can be expressed, respectively, as solutions to the following semidefinite programs $\pi_\alpha$ and $\pi_{\alpha'}$:

$\pi_\alpha$: maximize $\mathrm{Tr}(B_0^\dagger X)$ subject to $\mathrm{Tr}_{\mathcal{Y}}(X) = I_{\mathcal{X}}$, $X \in \mathrm{Pos}(\mathcal{Y} \otimes \mathcal{X})$;

$\pi_{\alpha'}$: maximize $\mathrm{Tr}\big((B_0^{\otimes s})^\dagger X\big)$ subject to $\mathrm{Tr}_{\mathcal{Y}'}(X) = I_{\mathcal{X}'}$, $X \in \mathrm{Pos}(\mathcal{Y}' \otimes \mathcal{X}')$,

where, for all i, $\mathcal{X}'_i = \mathcal{X}_i^{\otimes s}$ and $\mathcal{X}' = \mathcal{X}'_1 \otimes \mathcal{X}'_2 \otimes \cdots \otimes \mathcal{X}'_{t+1}$ (and similarly for $\mathcal{Y}'_i$ and $\mathcal{Y}'$). We note that the first constraint in each semidefinite program above codifies the property of trace-preservation for the quantum operation corresponding to X, while the second constraint codifies the property of complete positivity (see Ref. [18] for details). Furthermore, it is shown in Ref. [12] that such semidefinite programs (arising from interactions between strategies and compatible co-strategies) satisfy the condition of strong duality, which means that the solution to each semidefinite program above coincides with that of its dual.
In Ref. [13], the following theorem is proven:

Theorem 10 (Condition for product rule for semidefinite programs [13]). Suppose that the following two semidefinite programs $\pi_1$ and $\pi_2$ satisfy strong duality:

$\pi_1$: maximize $\mathrm{Tr}(J_1^\dagger W)$ subject to $\Psi_1(W) = C_1$, $W \in \mathrm{Pos}(\mathcal{W}_1)$;

$\pi_2$: maximize $\mathrm{Tr}(J_2^\dagger W)$ subject to $\Psi_2(W) = C_2$, $W \in \mathrm{Pos}(\mathcal{W}_2)$,

where $\Psi_1 : \mathrm{L}(\mathcal{W}_1) \to \mathrm{L}(\mathcal{Z}_1)$ and $\Psi_2 : \mathrm{L}(\mathcal{W}_2) \to \mathrm{L}(\mathcal{Z}_2)$, for complex Euclidean spaces $\mathcal{W}_1, \mathcal{Z}_1, \mathcal{W}_2, \mathcal{Z}_2$, and $J_1 \in \mathrm{L}(\mathcal{W}_1)$ and $J_2 \in \mathrm{L}(\mathcal{W}_2)$ are Hermitian. Let $\alpha(\pi_1)$ and $\alpha(\pi_2)$ denote the semidefinite programs' solutions. If $J_1$ and $J_2$ are positive semidefinite, then the solution to the following semidefinite program, denoted $\pi_1 \otimes \pi_2$, is $\alpha(\pi_1 \otimes \pi_2) = \alpha(\pi_1)\,\alpha(\pi_2)$:

$\pi_1 \otimes \pi_2$: maximize $\mathrm{Tr}\big((J_1 \otimes J_2)^\dagger W\big)$ subject to $(\Psi_1 \otimes \Psi_2)(W) = C_1 \otimes C_2$, $W \in \mathrm{Pos}(\mathcal{W}_1 \otimes \mathcal{W}_2)$.

Since $B_0$ is positive semidefinite and $\pi_{\alpha'} = \pi_\alpha^{\otimes s}$ (using the associativity of $\otimes$), Theorem 10 can be applied $(s-1)$ times in order to prove that $\alpha' = \alpha^s$ as required. See Ref. [12] for a similar approach, based on ideas in Ref. [19]. The idea of expressing the acceptance probability of a quantum interactive proof system as a semidefinite program first appeared in Ref. [20].

Note that this argument, combined with the arguments in the main body of the paper, shows that both the serial and parallel versions of our identification protocol are secure.

A.2 Proof of Proposition 5

Two facts hold without loss of generality:

• the POVMs $\{E_{w,0}, E_{w,\pi}\}$, for all w, may be assumed to be covariant, i.e. $E_{w,\pi} = V_\pi E_{w,0} V_\pi^\dagger$ (to see this, note that any not-necessarily-covariant POVM $\{F_{w,0}, F_{w,\pi}\}$ gives the same average probability of successfully guessing $\theta$, given w, as the covariant POVM $\{E_{w,0}, E_{w,\pi}\}$ defined by $E_{w,0} = (F_{w,0} + V_\pi^\dagger F_{w,\pi} V_\pi)/2$);

• each $E_{w,\theta}$ has support only on $\mathrm{sp}(O_w)$ and thus $E_{w,0} + E_{w,\pi} = I_{\mathrm{sp}(O_w)}$, where $I_{\mathrm{sp}(O_w)}$ is the identity operator on $\mathrm{sp}(O_w)$.

To compute a basis of $\mathrm{sp}(O_w)$, we now further define the system R' in the proof of Lemma 3 to consist of exactly t+1 qubits and the states $|c_h\rangle$, $h = 0, 1, \ldots, t$, to be all those computational basis states whose labels have Hamming weight 1 (thus $q = 2t+1$, which is larger than necessary, but simplifies the structure of the POVMs). The total subspace

$$\mathcal{S} = \mathrm{sp}\Big(\{|S_j\rangle\}_{j=0,\ldots,t} \otimes \{|c_h\rangle\}_{h=0,1,\ldots,t} \otimes \{|0\rangle, |1\rangle\}\Big) \qquad (63)$$
supporting $|\psi_{RS}(\phi,\theta)\rangle$ breaks up into mutually orthogonal subspaces $\mathcal{S}_w$ of weight w, i.e., spanned by computational basis states whose labels have Hamming weight w:

$$\mathcal{S}_1 = \mathrm{sp}\Big(|S_0\rangle \otimes \{|c_h\rangle\}_h \otimes |0\rangle\Big), \qquad (64)$$

$$\mathcal{S}_k = \mathrm{sp}\Big(|S_{k-1}\rangle \otimes \{|c_h\rangle\}_h \otimes |0\rangle,\; |S_{k-2}\rangle \otimes \{|c_h\rangle\}_h \otimes |1\rangle\Big), \qquad (65)$$

$$\mathcal{S}_{t+2} = \mathrm{sp}\Big(|S_t\rangle \otimes \{|c_h\rangle\}_h \otimes |1\rangle\Big), \qquad (66)$$

for $k = 2, 3, \ldots, t+1$. Thus, for each w, we will do the following:

• write $P_w$ in the basis in which $\mathcal{S}_w$ is expressed in Eqs. (64), (65), (66),

• derive an expression for $P_w|\psi_{RS}(0,0)\rangle$ (which is proportional to $|\Psi_w\rangle$) in order to find a basis for $\mathrm{sp}(O_w) = \mathrm{sp}\{|\Psi_w\rangle, V_\pi|\Psi_w\rangle\}$ (which fully supports $E_{w,0}$), and

• derive the form of $E_{w,0}$ and thus, by covariance, the form of the POVM $\{E_{w,0}, E_{w,\pi}\}$ in each subspace $\mathcal{S}_w$.

Recalling Eq. (40), it will be convenient to let $\alpha_{j,h} = \beta_j \gamma_{j,h}$ and so

$$|\psi_R(0)\rangle = \sum_{j,h} \alpha_{j,h}\, |S_j\rangle |c_h\rangle. \qquad (67)$$
w = 1:

Writing

$$P_1 |\psi_{RS}(0,0)\rangle \qquad (68)$$

$$= |S_0\rangle\langle S_0| \otimes \sum_h |c_h\rangle\langle c_h| \otimes |0\rangle\langle 0|\;\; |\psi_R(0)\rangle\, (|0\rangle + |1\rangle)/\sqrt{2} \qquad (69)$$

$$= |S_0\rangle \Big[\sum_h \big[(\langle S_0|\langle c_h|)\, |\psi_R(0)\rangle / \sqrt{2}\big]\, |c_h\rangle\Big] |0\rangle \qquad (70)$$

$$= |S_0\rangle \Big[\sum_h \big[\alpha_{0,h}/\sqrt{2}\big]\, |c_h\rangle\Big] |0\rangle, \qquad (71)$$

we see that $V_\pi|\Psi_1\rangle = |\Psi_1\rangle$, so that $E_{1,0} = E_{1,\pi} = |\Xi_0\rangle|0\rangle\langle\Xi_0|\langle 0|$, where $|\Xi_0\rangle$ is a state such that

$$|\Xi_0\rangle \propto |S_0\rangle \sum_h \big[\alpha_{0,h}/\sqrt{2}\big]\, |c_h\rangle. \qquad (72)$$

We note that getting the outcome corresponding to this POVM element does not give any information about $\theta$; we arbitrarily assign a guess of "$\theta = 0$" to this outcome, without affecting optimality (since $\theta$ is a priori uniformly distributed).
$w \in \{2, 3, \ldots, t+1\}$:

Similarly, we can write

$$P_w |\psi_{RS}(0,0)\rangle \qquad (73)$$

$$= |S_{w-1}\rangle \Big(\sum_h \big[\alpha_{w-1,h}/\sqrt{2}\big]\, |c_h\rangle\Big) |0\rangle \;+ \qquad (74)$$

$$\quad\;\; |S_{w-2}\rangle \Big(\sum_h \big[\alpha_{w-2,h}/\sqrt{2}\big]\, |c_h\rangle\Big) |1\rangle. \qquad (75)$$

Chiribella et al. [17] show that $E_{w,0}$ may be assumed to have rank 1 without loss of generality. Thus $E_{w,0}$ may be written $|\eta_w\rangle\langle\eta_w|$, where

$$|\eta_w\rangle = a\, |\Xi_{w-1}\rangle|0\rangle + b\, |\Xi_{w-2}\rangle|1\rangle, \qquad (76)$$

for some complex coefficients a and b, such that $|a|^2 + |b|^2 = 1$, where $|\Xi_{w-1}\rangle$ and $|\Xi_{w-2}\rangle$ are states such that, for $j = 0, 1, \ldots, t$,

$$|\Xi_j\rangle \propto \sum_h \alpha_{j,h}\, |S_j\rangle |c_h\rangle. \qquad (77)$$

We have (using covariance to get $E_{w,\pi}$)

$$E_{w,0} + E_{w,\pi} \qquad (78)$$

$$= 2\Big(|a|^2\, |\Xi_{w-1}\rangle|0\rangle\langle\Xi_{w-1}|\langle 0| + |b|^2\, |\Xi_{w-2}\rangle|1\rangle\langle\Xi_{w-2}|\langle 1|\Big). \qquad (79)$$

But

$$E_{w,0} + E_{w,\pi} \qquad (80)$$

$$= I_{\mathrm{sp}(O_w)} \qquad (81)$$

$$= |\Xi_{w-1}\rangle|0\rangle\langle\Xi_{w-1}|\langle 0| + |\Xi_{w-2}\rangle|1\rangle\langle\Xi_{w-2}|\langle 1|. \qquad (82)$$

Equating the two expressions implies that

$$|\eta_w\rangle = \frac{1}{\sqrt{2}}\Big(|\Xi_{w-1}\rangle|0\rangle + e^{i\xi_w}\, |\Xi_{w-2}\rangle|1\rangle\Big), \qquad (83)$$

for some phase $\xi_w$. But we must have $\xi_w = 0$, since $E_{w,0}$ corresponds to the guess "$\theta = 0$".

w = t+2:

Similar to the case w = 1 and using the definition from Eq. (77), we have $E_{t+2,0} = E_{t+2,\pi} = |\Xi_t\rangle|1\rangle\langle\Xi_t|\langle 1|$. We assign the guess "$\theta = \pi$" to getting the outcome corresponding to this POVM element.
To summarize, the elements of the overall POVM $\{E_0, E_\pi\}$ describing the measuring-and-guessing strategy may be expressed as

$$E_0 = |\Xi_0\rangle|0\rangle\langle\Xi_0|\langle 0| + \sum_{w=2}^{t+1} |w,+\rangle\langle w,+|, \qquad (84)$$

$$E_\pi = \sum_{w=2}^{t+1} |w,-\rangle\langle w,-| + |\Xi_t\rangle|1\rangle\langle\Xi_t|\langle 1|, \qquad (85)$$

where

$$|w,\pm\rangle = \frac{1}{\sqrt{2}}\Big(|\Xi_{w-1}\rangle|0\rangle \pm |\Xi_{w-2}\rangle|1\rangle\Big). \qquad (86)$$
A.3 Proof of Theorem 1, assuming Eq. (15)

For security with error $\varepsilon$, we require

$$r\big(1 - c/(2r+1)^2\big)^s < \varepsilon, \qquad (87)$$

which, by taking the logarithm of both sides, is equivalent to

$$s > \log(\varepsilon/r) \big/ \log\big(1 - c/(2r+1)^2\big). \qquad (88)$$

Using the series expansion $\log(1-x) = -(x + x^2/2 + x^3/3 + \cdots)$, so that $-\log(1-x) \ge x$, the right-hand side of Eq. (88) is upper-bounded by

$$(2r+1)^2 \log(r/\varepsilon)/c, \qquad (89)$$

from which the theorem follows.
A.4 Proof of Proposition 6

This maximization problem is very similar to that in Ref. [11], where it was required to maximize $\langle\zeta| M'_t |\zeta\rangle$ over all states $|\zeta\rangle \in \mathrm{sp}\{|j\rangle : j = 0, 1, \ldots, t\}$ for

$$M'_t = \sum_{j=0}^{t-1} \Big( |j+1\rangle\langle j| + |j\rangle\langle j+1| \Big). \qquad (90)$$

In fact, in light of Eq. (40), the phase estimation problem in Ref. [11] may be viewed as the same as the one we consider, but where Eve does not have access to the register R'. (Indeed, our optimal success probability cannot be less than that in Ref. [11], since at the very least Eve can forgo the use of the ancillary register R'.) Finally, below, we show that our optimal success probability is exactly equal to that obtained in Ref. [11].

Let $\alpha^*_{j,h}$ denote the optimal values for our maximization problem, and let $M^*_t$, $|\psi_R(0)^*\rangle$, and $|\Xi^*_j\rangle$ denote the values of $M_t$, $|\psi_R(0)\rangle$, and $|\Xi_j\rangle$ at those optimal values. Note that $\{|\Xi_j\rangle : j = 0, 1, \ldots, t\}$ is orthonormal for all values of $\alpha_{j,h}$; thus $\{|\Xi^*_j\rangle : j = 0, 1, \ldots, t\}$ is orthonormal. Consider now optimizing $\langle\psi| M^*_t |\psi\rangle$ over all unit vectors $|\psi\rangle \in \mathrm{sp}\{|\Xi^*_j\rangle : j = 0, 1, \ldots, t\}$ for fixed $M^*_t$; denote the optimal $|\psi\rangle$ as $|\psi^*\rangle$. It must be that

$$\langle\psi^*| M^*_t |\psi^*\rangle \;\ge\; \langle\psi_R(0)^*| M^*_t |\psi_R(0)^*\rangle, \qquad (91)$$

since $|\psi_R(0)^*\rangle \in \mathrm{sp}\{|\Xi^*_j\rangle : j = 0, 1, \ldots, t\}$ by inspecting Eqs. (67) and (77). Now note that the coefficients of $|\psi^*\rangle$ with respect to the basis $\{|\Xi^*_j\rangle : j = 0, 1, \ldots, t\}$ must be precisely those coefficients of the optimal $|\zeta\rangle$ with respect to the standard orthonormal basis $\{|j\rangle : j = 0, 1, \ldots, t\}$ found in Ref. [11]; otherwise, substituting the coefficients of $|\psi^*\rangle$ would give a higher maximum than that in Ref. [11]. (The argument works because, in both cases, the orthonormal basis is fixed for the optimization.) Therefore, we have, as in Ref. [11],

$$|\psi_R(0)^*\rangle \;\propto\; \sum_{j=0}^{t} \sin\!\Big(\frac{\pi (j+1)}{t+2}\Big)\, |\Xi^*_j\rangle. \qquad (92)$$
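As an added numerical check, not part of the paper, the following Python reproduces the quantities of Eqs. (53)-(59) and (87)-(89): the Proposition 6 coefficients, Eve's success probability evaluated through $M_t$ in the orthonormal basis $\{|\Xi_j\rangle\}$, the bound $1 - c/(t+2)^2$, and the number of parallel repetitions s that Eq. (87) demands for a given r and $\varepsilon$. The function names and the values of r and $\varepsilon$ used are constructed for the example.

```python
from math import ceil, cos, log, pi, sin, sqrt

# The constant c of Eq. (59): c = pi^2/4 - pi^4/48, about 0.438.
C = pi ** 2 / 4 - pi ** 4 / 48

def optimal_state(t):
    """Real coefficients beta_j of the Proposition 6 state in the orthonormal
    basis {|Xi_j>}: beta_j proportional to sin(pi (j+1)/(t+2)), j = 0..t."""
    beta = [sin(pi * (j + 1) / (t + 2)) for j in range(t + 1)]
    norm = sqrt(sum(b * b for b in beta))
    return [b / norm for b in beta]

def apply_m_t(beta):
    """M_t of Eq. (54) on coefficients in the basis {|Xi_j>}:
    (M_t beta)_j = beta_{j-1} + beta_{j+1}, with beta_{-1} = beta_{t+1} = 0."""
    n = len(beta)
    return [(beta[j - 1] if j > 0 else 0.0) + (beta[j + 1] if j + 1 < n else 0.0)
            for j in range(n)]

def success_probability(beta):
    """Eq. (53): Eve's success probability 1/2 + 1/4 <psi_R(0)|M_t|psi_R(0)>."""
    return 0.5 + 0.25 * sum(b * mb for b, mb in zip(beta, apply_m_t(beta)))

def max_success_probability(t):
    """Closed form of Eq. (55): 1/2 + 1/2 cos(pi/(t+2))."""
    return 0.5 + 0.5 * cos(pi / (t + 2))

def eigen_residual(t):
    """max_j |(M_t beta)_j - 2 cos(pi/(t+2)) beta_j| for the Proposition 6
    state; zero means beta is the top eigenvector of M_t (a path-graph matrix)."""
    beta = optimal_state(t)
    lam = 2 * cos(pi / (t + 2))
    return max(abs(mb - lam * b) for b, mb in zip(beta, apply_m_t(beta)))

def success_upper_bound(t):
    """Eq. (59): 1 - c/(t+2)^2, which dominates Eq. (55) for every t >= 1."""
    return 1 - C / (t + 2) ** 2

def fooling_probability(r, s):
    """Left-hand side of Eq. (87): r (1 - c/(2r+1)^2)^s for s parallel rounds."""
    return r * (1 - C / (2 * r + 1) ** 2) ** s

def repetitions_needed(r, eps):
    """Smallest s satisfying Eq. (87) (computed via Eq. (88)) and the
    simpler upper bound of Eq. (89); returns (exact, bound)."""
    exact = ceil(log(eps / r) / log(1 - C / (2 * r + 1) ** 2))
    bound = ceil((2 * r + 1) ** 2 * log(r / eps) / C)
    return exact, bound
```

For r = 3 and $\varepsilon = 2^{-20}$ (constructed values) the exact requirement of Eq. (88) and the bound of Eq. (89) differ by well under one percent, so the looser bound costs almost nothing in rounds.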